“Dirty COW” Linux Kernel Exploit Seen in the Wild

A new Linux kernel vulnerability disclosed on Wednesday allows an unprivileged local attacker to escalate their privileges on a targeted system. Red Hat said it was aware of an exploit in the wild.

The vulnerability, discovered by Phil Oester, was sarcastically dubbed by some people “Dirty COW” due to the fact that it’s caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

The security hole, tracked as CVE-2016-5195, allows local attackers to escalate their privileges on the targeted system by modifying existing setuid files, Red Had said in its advisory.

“An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system,” the company explained.

Red Hat, which classified the flaw as “important,” said it was aware of an exploit leveraging this technique in the wild, but the company has not shared any other information. A fix has already been developed and Linux distributions have started releasing updates.

An increasing number of vulnerabilities have been branded since the discovery of Heartbleed. While some believe that branding a flaw could have a positive impact, others are concerned that branding even low-risk issues could lead to companies ignoring the vulnerabilities that really matter.

The people who created the Dirty COW website, logo and Twitter account have admitted that this vulnerability is not as serious as others and they claim to have branded it to make fun of branded flaws. They even created a shop that sells “Dirty COW” mugs and t-shirts for thousands of dollars.

Linux Kernel Vulnerabilities

Google security researcher Kees Cook has analyzed the Linux kernel vulnerabilities discovered since 2011 in an effort to determine for how long they go unnoticed after they are introduced in a Linux release.

Based on the analysis of 557 CVE identifiers assigned to Linux kernel flaws since 2011, Cook determined that their average lifespan is roughly 5 years. According to the expert, high severity issues are fixed after 6.4 years, while critical issues are discovered, on average, after 3.3 years.